It’s Friday, you managed to escape for a couple of hours from a busy working day to see a doctor. Now you have to wait in a boring waiting room at the clinic until it’s your turn to see her majesty. What would you like to do in this time? Answer pending business emails, get lost in social media, or choose a new theme to make your iPhone look awesome? What about: all of the above? It’s nice to have everything on your iPhone: MDM enrollment to access business data, in addition to jailbreak for device freedom. However, MDM solutions ban jailbroken devices, because they are not secure enough to handle sensitive business data. And so, cat and mouse games of jailbreak detection/bypass between MDM solutions and some users develop.
In this blogpost, I highlight how this cat and mouse game with Google’s MDM solution “Google Endpoint Management” is currently going. First, I explain how to bypass jailbreak detection of Google’s MDM solution. Then I show how to manipulate MDM enforced policies on your MDM-enrolled jailbroken device. Since these actions have negative impacts on your device’s security, we’ll also discuss how attackers can exploit this insecure setup to steal business data.
“If it’s a thing, then there’s an app for it!”…We trust mobile apps to process our bank transactions, handle our private data and set us up on romantic dates. However, few of us care to wonder,”How (in)secure can these apps be?” Well… at Troopers 19, you can learn how to answer this question yourself!
In our 2 day long “Hacking mobile applications” workshop, we teach how to find security vulnerabilities in mobile apps, exploit them and defend against them. We start from scratch, therefore no prior experience in hacking or developing mobile apps is required. Whether you want to learn how to pentest mobile apps, you are an app developer that fancies to secure his/her apps, or just curios, our workshop is a jumpstart to your goal.
“This document was produced jointly with the OWASP mobile security project. It is also published as an ENISA deliverable in accordance with our work program 2011. It is written for developers of smartphone apps as a guide to developing secure apps. It may however also be of interest to project managers of smartphone development projects.
In writing the top 10 controls, we considered the top 10 most important risks for mobile users as described in (1) and (2). As a follow-up we are working on platform-specific guidance and code samples. We hope that these controls provide some simple rules to eliminate the most common vulnerabilities from your code.”
After having a first look at the document’s content I can, while not being a developer myself, state there’s a lot of valuable guidance in it. Which is particularly useful as our assessment experience shows that quite some things (examples to be discussed in this upcoming talk at Troopers) can go wrong as for application security on smartphones.